How to Align Your SOC 2 Report With the CDR


The SOC 2 Plus CDR approach to accreditation requires a few adjustments to the standard SOC 2 reporting method, but the benefits often outweigh the effort.

The Consumer Data Right (CDR) is a regulatory framework that allows service providers to access consumer data collected by banks, with other industries expected to follow. To participate, organizations must earn CDR accreditation, which includes submitting an assurance report verified by an independent chartered accountancy firm. These reports must align with Service Organization Control (SOC) standards.

SOC reports can be confusing due to the range of international acronyms, such as ASAE/ISAE 3150/3402, SSAE 16/18, AT-C 105, and AT-C 205. In the U.S., they’re broadly categorized as SOC 1 (focused on financial reporting controls) and SOC 2 (focused on trust principles such as security, confidentiality, availability, processing integrity, and privacy).

For CDR purposes, a SOC report can be used if it adequately demonstrates compliance with the requirements listed in CDR Schedule 2. That’s where SOC 2 Plus CDR comes in.

How to Align Your SOC 2 With CDR Schedule 2

A CDR assurance report is essentially a tailored SOC 2 report. In some areas, CDR requirements are more prescriptive than SOC 2; in others, less so. The flexibility of the SOC 2 framework allows us to adjust accordingly.

Here are five key ways we tailor the SOC 2 report to meet CDR expectations:

1. We Map Your Controls to SOC 2 and CDR Schedule 2

We use software to automatically map your controls across SOC 2 and CDR Schedule 2. This eliminates redundant work and ensures your report shows clearly how you meet the relevant criteria. We include a mapping table in Section V of your SOC 2 report so the Australian Competition and Consumer Commission (ACCC) can easily see how Schedule 2, Parts 1 and 2, are addressed.

2. Align Your Control Descriptions to Schedule 2, Part 2

SOC 2 does not prescribe specific controls like multifactor authentication (MFA), software whitelisting, or incident response, though many reports include them. CDR Schedule 2, Part 2, does prescribe these controls. To meet CDR expectations, we ensure your control descriptions reflect these higher, defined requirements.

3. Follow SOC 2 for the Schedule 2 Part 1 Requirements

Schedule 2, Part 1, includes governance, security capabilities, and incident response, but provides limited detail. SOC 2, however, offers well-established guidance in these areas. We lean on these common practices to meet and document the Part 1 requirements.

4. Define the Boundaries of the CDR Data Environment

SOC 2 requires a clear system description, including infrastructure, software, data, people, and processes. To align with CDR, we ensure your report defines the scope of the CDR data environment specifically, either as the entire system or as a clearly delineated subset of a broader environment. Our updated templates help you frame this appropriately.

5. Apply the Carve-in Approach to Service Providers

SOC 2 traditionally allows a “carve-out” for third-party providers, but in practice, we take a “carve-in” approach—verifying their controls where they impact your environment. This is straightforward for major cloud providers that already have SOC 2 reports. For vendors without assurance reports, additional verification may be needed, especially if they handle critical infrastructure such as physical data centers.

Why Choose SOC 2 Plus CDR?

Compared to a CDR-specific ASAE 3150 report, SOC 2 Plus CDR offers multiple advantages. It aligns your organization with an internationally recognized assurance framework while providing cost and efficiency benefits. Because SOC 2 is widely adopted, many of its required controls and reporting elements are already in place at most organizations—making this a more scalable and strategic approach.

To explore whether SOC 2 Plus CDR is the right fit for your CDR accreditation journey, contact us. We’d be happy to help.
